HIPAA: Can you prove your data has NOT been compromised?

Proof, rarely a concern

Proof that the data was safe at a particular point in time is rarely a concern for most organizations implementing security controls. There are many other areas believed to be more important. Hence, the focus is mostly on protecting information by assessing and mitigating risk associated with its loss. Part of this emphasis involves auditing access to systems in various ways, to have a record and hopefully get notified when security incidents occur. Unfortunately, auditing access to the data itself (files, databases), is rarely a priority. While the auditors accept this general approach, lack of information when it comes to which files were accessed and by whom, can turn against you in the case of a security incident.

Why is proof critical?

Somewhere at the confluence between HIPAA Security Rule and HIPAA Privacy Rule, lays a less known implication, according to which a presumed security incident without any proof that data was NOT affected, must be reported as any other definite data breach. Consequently, the entity finding itself in this situation undergoes the same process as an entity suffering a clear and proven data breach:

• Notifications to affected persons and authorities: in lack of information, most probably all customers and employees are considered involved;
• Costs of forensic investigations: usually third party companies are contracted to conduct such activities;
• Costs with customer assistance: most businesses in this situation implement call centers to help their clients with information related to the breach;
• Costs with professional financial audit: if cardholder information is presumed lost, companies offer affected people free financial monitoring over the period following the data breach.
• Legal costs, fines, etc.

Some degree of confusion exists around the topic, as initially the need to report a breach was only enforced when there was proof that data was affected. However, starting with the update “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification  Rules  Under  the  Health  Information  Technology  for  Economic and  Clinical  Health  Act  and  the  Genetic  Information  Nondiscrimination  Act” on January 25^th, 2013:

Impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.

Example of how lack of proof triggers a breach report

The security incident at Valley Anesthesiology and Pain Consultants (VAPC) is an example of such situation. In this case, there was a presumed security incident without any proof that data was affected, but was still reported under HIPAA, as neither evidence that the data was not affected could be found.

On June the 13^th 2016, the management learned about a possible security incident occurring on March the 30^th, whereby an external attacker has gained access to critical computer systems. The company has hired forensic investigators who did not find any evidence that the data on these systems was compromised. Nevertheless, since neither proof that the data was untouched could be found, VAPC has started notifying affected persons and made an official report on August 11, 2016. Over 882,000 customers and all employees were considered affected by this incident.

How we can help

TEMASOFT FileMonitor, our file monitoring software, offers detailed data access auditing functionality enabling healthcare companies to:

• Deliver alerts when access to data occurs outside configured parameters (user accounts, time intervals, authorized applications, etc.);
• Maintain detailed audit trails of basic and complex file operations, enabling entities to prove whether access to data occurred or not, together with sufficient information to allow further forensic correlation with other audit trails related to security incidents.

TEMASOFT offers this functionality for FREE for up to two workstation PCs, for personal use.

Liked this article? Follow us on LinkedIn for more, or subscribe to our newsletter.

References:

http://www.valley.md/securityupdate

http://www.privacydatabreach.com/2016/08/arizona-anesthesia-group-notifies-882590-patients-of-data-breach/

https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf